Analysis

  • max time kernel
    44s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-01-2023 23:07

General

  • Target
    file.exe
  • Size
    534KB
  • MD5
    4715769b2a3a90dc8c939aec11c52bc1
  • SHA1
    1a1eeabc9d4758de67016ed1e06defd571107e63
  • SHA256
    7ce366cf2cc3e1787d552e5603568e1ce96496aacef73df9676b9a3fafe660db
  • SHA512
    308badf1be750b58399a3532b452a85cf345d222a1ec48949c99fd5cbe6505a79e8093b72ea117ef8b3963b8ddcbf2812907a5d8535b98c9480bb038fcdfe579
  • SSDEEP
    12288:j3RH/6XLdYJkrsi+u3bYIvz6D6bX1lbBLfzn6lU1F4Xla:DY5YgEmFpBr9yM

Score
8/10

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
      2⤵
      PID:1992
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
      2⤵
      PID:1160
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
      2⤵
      PID:544
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
      2⤵
      PID:584
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
      2⤵
      PID:676
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
      2⤵
      PID:1884
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
      2⤵
      PID:560
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
      2⤵
      PID:2028
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
      2⤵
      PID:320
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
      2⤵
      PID:1292
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
      2⤵
      PID:1720
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
      2⤵
      PID:568
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 168
        3⤵
        • Program crash
        PID:820

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1080-56-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
    264KB
  • memory/1080-58-0x00000000766D1000-0x00000000766D3000-memory.dmp
    Filesize
    8KB
  • memory/1080-60-0x0000000000090000-0x0000000000099000-memory.dmp
    Filesize
    36KB
  • memory/2016-54-0x0000000001040000-0x00000000010C8000-memory.dmp
    Filesize
    544KB
  • memory/2016-55-0x0000000000B60000-0x0000000000BE2000-memory.dmp
    Filesize
    520KB